| author | Manikandan Mohan <manikand@codeaurora.org> | 2018-10-05 12:14:56 -0700 |
|---|---|---|
| committer | nshrivas <nshrivas@codeaurora.org> | 2018-10-09 16:47:43 -0700 |
| commit | ca4cbe9b76c423461b02a85e697bc7dc020bf002 (patch) | |
| tree | d1333cb554d30c00f326712863d2159f7128c71b | |
| parent | 8b55cb7c49455dbbb30762381a136e9395ec305e (diff) | |
qcacld-3.0: Fix out-of-bounds read in extract_ndp_sch_update_tlv
Update WMI_NDL_SCHEDULE_UPDATE_EVENTID handling for possible out
of bounds read when fixed_params->num_channels is greater than
TLV length of NDL channel list or NSS list and fixed_params->
num_ndp_instances is greater than TLV length of NDP Instance list.
Change-Id: Idbd74e30868597c9787095372516b7d7dd12481b
CRs-fixed: 2327673
| -rw-r--r-- | core/wma/src/wma_nan_datapath.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/core/wma/src/wma_nan_datapath.c b/core/wma/src/wma_nan_datapath.c
index 59a0861abf0c..dff36acb30ee 100644
--- a/core/wma/src/wma_nan_datapath.c
+++ b/core/wma/src/wma_nan_datapath.c
@@ -934,6 +934,21 @@ static int wma_ndp_sch_update_event_handler(void *handle, uint8_t *evinfo,
 fixed_params->flags, fixed_params->num_channels,
 fixed_params->num_ndp_instances);
 
+ if (fixed_params->num_channels > event->num_ndl_channel_list ||
+ fixed_params->num_channels > event->num_nss_list) {
+ WMI_LOGE(FL("Channel count %d greater than NDP Ch list TLV len (%d) or NSS list TLV len (%d)"),
+ fixed_params->num_channels,
+ event->num_ndl_channel_list,
+ event->num_nss_list);
+ return QDF_STATUS_E_INVAL;
+ }
+ if (fixed_params->num_ndp_instances > event->num_ndp_instance_list) {
+ WMI_LOGE(FL("NDP Instance count %d greater than NDP Instancei TLV len %d"),
+ fixed_params->num_ndp_instances,
+ event->num_ndp_instance_list);
+ return QDF_STATUS_E_INVAL;
+ }
+
 if (fixed_params->vdev_id >= wma_handle->max_bssid) {
 WMA_LOGE(FL("incorrect vdev_id: %d"), fixed_params->vdev_id);
 return -EINVAL; |
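Review bot: Both new rejection branches return `QDF_STATUS_E_INVAL` from a handler declared `static int`, while the existing vdev_id check directly below returns `-EINVAL`; a caller that tests for a negative errno may not treat a QDF status value as failure, so `return -EINVAL;` in both branches would keep the error convention consistent. The counts are bounded only against the TLV element counts. The handler's body begins and ends outside the hunk, so it is not visible whether the code that later consumes `num_channels` and `num_ndp_instances` copies into fixed-size destinations that need their own upper bound; that is worth confirming. Minor: the second message misspells `Instancei`, both messages use `WMI_LOGE` where the neighbouring code uses `WMA_LOGE`, and `%d` is applied to what look like unsigned counts, where `%u` would match if they are.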
